Posts Tagged ‘critical’

Get ready to install a fairly large batch of security patches onto your Windows computers.

As part of its September Patch Tuesday, Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products.

The latest security update addresses 27 vulnerabilities rated critical and 54 rated important, of which 38 affect Windows and 39 could lead to Remote Code Execution (RCE).

Microsoft says the flaw could allow an attacker to take control of an affected system, install programs, view, change, or delete data by tricking victims into opening a specially crafted document or application sent over an email.

The flaw could even allow an attacker to create new accounts with full user rights. Therefore users with fewer user rights on the system are less impacted than users who operate with admin rights.

According to FireEye, this zero-day flaw has actively been exploited by a well-funded cyber espionage group to deliver FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July this year.

FinSpy is highly secretive surveillance software that has previously been associated with the British company Gamma Group, which legally sells surveillance and espionage software to government agencies.

Once a system is infected, FinSpy can perform a large number of covert tasks on the victim's computer, including monitoring it by turning on webcams, recording everything the user types with a keylogger, intercepting Skype calls, copying files, and much more.

“The [new variant of FINSPY]…leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” researchers at FireEye said.

“As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”

Three Publicly Disclosed Vulnerabilities

The remaining three publicly known vulnerabilities affecting the Windows 10 platform include:

Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417): this flaw exists in the Broadcom chipset in HoloLens, which could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.

BlueBorne Attack: Another Reason to Install Patches Immediately

Also, the recently disclosed Bluetooth vulnerabilities known as “BlueBorne”, which affected more than 5 Million Bluetooth-enabled devices, including Windows, were silently patched by Microsoft in July, but details of this flaw have only been released now.

BlueBorne is a series of flaws in the implementation of Bluetooth that could allow attackers to take over Bluetooth-enabled devices, spread malware completely, or even establish a “man-in-the-middle” connection to gain access to devices’ critical data and networks without requiring any victim interaction.

So, users have another important reason to apply September security patches as soon as possible in order to keep hackers and cyber criminals away from taking control over their computers.

Other flaws patched this month include five information disclosure flaws and one denial of service flaw in Windows Hyper-V, two cross-site scripting (XSS) flaws in SharePoint, as well as four memory corruption and two remote code execution vulnerabilities in MS Office.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

The “Angler” exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly.

However, the blog post below shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 + IE 10) appear to be vulnerable. Windows 8.1 and Google Chrome do not appear to be vulnerable.

This is still a developing story, but typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly. Please refer to the original blog for details.

The Google security team discovered several vulnerabilities in current NTP implementations, one of which can lead to arbitrary code execution [1][2]. NTP servers prior to version 4.2.8 are affected.

There are some rumors about active exploitation of at least some of the vulnerabilities Google discovered.

Make sure to patch all publicly reachable NTP implementations as fast as possible.

Mitigating Circumstances:

Try to block inbound connections to NTP servers that do not have to be publicly reachable. However, be aware that simple stateful firewalls may not track UDP connections correctly and will allow access to internal NTP servers from any external IP if the NTP server recently established an outbound connection.

ntpd typically does not have to run as root. Most Unix/Linux versions will configure NTP to run as a lower-privileged user.

According to the advisory at ntp.org, you can also:

Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

A few Ubuntu and CentOS systems I tested, as well as OS X systems, do not seem to use autokey.
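The Autokey mitigation above can be checked and applied mechanically. The following is an added example, not code from the original post or from ntp.org; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for Autokey ("crypto") directives and
# comment them out. Both functions read the config on stdin.

# Count active (uncommented) directives whose first word is "crypto".
count_autokey() {
    # grep -c exits 1 when the count is 0; "|| true" keeps that from being an error.
    grep -Ec '^[[:space:]]*crypto([[:space:]]|$)' || true
}

# Comment out every active "crypto" directive. All other lines pass through
# unchanged, including "filegen cryptostats", whose first word is "filegen".
disable_autokey() {
    sed -E 's/^([[:space:]]*)(crypto([[:space:]].*)?)$/\1# disabled (autokey): \2/'
}

# Constructed sample ntp.conf covering the edge cases: an indented directive,
# a bare "crypto", an already commented line, and a look-alike keyword.
sample_conf() {
    cat <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
crypto pw examplepassword
  crypto
# crypto randfile /dev/urandom
filegen cryptostats file cryptostats type day enable
restrict default kod nomodify notrap nopeer noquery
EOF
}

# Demonstration on the constructed sample: report, then print the hardened config.
echo "active crypto directives: $(sample_conf | count_autokey)" >&2
sample_conf | disable_autokey
```

To audit a real system, feed the file on stdin, for example `count_autokey < /etc/ntp.conf`; the path is an assumption and varies by distribution.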

[1] http://www.kb.cert.org/vuls/id/852879

[2] http://support.ntp.org/bin/view/Main/SecurityNotice

| CVE | Impact | Details |
| --- | --- | --- |
| CVE-2014-9293 | authentication | ntp will create a weak key if none is provided in the configuration file. |
| CVE-2014-9295 | remote code execution | A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. |
| CVE-2014-9296 | missing error message | In the NTP code, a section of code is missing a return, and the resulting error indicates processing did not stop. |

Today, Oracle has released its quarterly Critical Patch Update (CPU) for the month of July, as part of its monthly security bulletin, in which it fixes a total of 113 new security vulnerabilities for hundreds of the company’s products.

The security update for Oracle’s popular browser plug-in Java addresses 20 vulnerabilities in the software, all of which are remotely exploitable without authentication, which means an attacker wouldn’t need a username and password to exploit them over a network.

MOST CRITICAL ONE TO PATCH FIRST

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One or more of the Java vulnerabilities received the most “critical” rating under CVSS, i.e. a base score of 10 or near.

Numerous other Oracle products and software components are also addressed in the latest security updates, which fix around 29 vulnerabilities in Oracle Fusion Middleware, of which 27 enable remote code execution, seven vulnerabilities in Hyperion products, and five apiece for Oracle Database and E-Business Suite. But Java was the only product with security issues scoring the highest critical rating.

Almost three months, and thousands of fixes later, more than 300,000 systems are still vulnerable to the Heartbleed bug.

Robert Graham of Errata Security revealed on Saturday that a recent scan found that 309,197 servers are still exposed.

"This indicated people have stopped even trying to patch," Graham wrote in a blog post.

Following the April discovery of the OpenSSL bug—which leaves encrypted data open to scammers—panic ensued as websites around the world patched their systems to avoid a breach.

At the time of the Heartbleed announcement, Errata found 600,000 vulnerable systems, which dwindled to half that number within the first month. But now, almost three months after the announcement, at least 300,000 sites are still at risk.

"We should see a slow decrease over the next decade as older systems are slowly replaced," according to Graham, though he’s not confident that all 309,000 will be patched.

"Even a decade from now, I still expect to find thousands of systems, including critical ones, still vulnerable," he said.

Today Microsoft has released its Advance Notification for the June 2014 Patch Tuesday, announcing seven security Bulletins, which will address several vulnerabilities in its products, out of which two are marked critical and the rest are important in severity.

This Tuesday, Microsoft will issue Security Updates to address seven major vulnerabilities and all those are important for you to patch, as the flaws are affecting various Microsoft software, including Microsoft Word, Microsoft Office and Internet Explorer.

CRITICAL VULNERABILITY THAT YOU MUST PATCH

Bulletin one is considered to be the most critical one, which will address the zero-day Remote Code Execution vulnerability affecting all versions of Internet Explorer, including IE11 in Windows 8.1.

All server versions of Windows are affected by this vulnerability, but at a low level of severity, because by default Internet Explorer runs in Enhanced Security Configuration. Server Core versions of Windows Server do not include Internet Explorer, so they are not affected.

The vulnerability allows a remote attacker to execute arbitrary code using JavaScript, but so far, the zero-day flaw is not known to have been used in any attacks, according to Microsoft. “The Update for Internet Explorer addresses CVE-2014-1770, which we have not seen used in any active attacks.”

Microsoft has kept this critical Internet Explorer Zero-Day vulnerability hidden from all of us since October 2013, but last month the team at ‘Zero Day Initiative’ disclosed the vulnerability publicly when Microsoft failed to respond and patch this flaw within 180 days after receiving the details from a security researcher.

The second Bulletin addresses one or more flaws in both Windows and Office products. It is also a Remote Code Execution vulnerability and rated ‘Critical’ on all versions of Windows including Server Core; Microsoft Live Meeting 2007 Console and all versions of Microsoft Lync, excluding the Lync Server. The flaw is also rated ‘Important’ for Office 2007 and Office 2010.

These critical security updates are really important for users to patch and both the patches will require a restart after the installation of the new versions.

OTHER IMPORTANT PATCHES TO INSTALL

The remaining five bulletins will address one or more remote code execution vulnerabilities in Office, an information disclosure bug in Windows, information disclosure bugs in Lync Server, a Denial of Service (DoS) bug in all Windows versions since Vista, and a “tampering” vulnerability in Windows including Windows 7, 8.x and Server 2012.

NOT FOR XP THIS TIME

Microsoft will not release any security update for its older Windows XP operating system this time, unlike last month, when it provided an ‘out-of-band security update’ for Windows XP machines affected by the zero-day vulnerability.

Microsoft has stopped supporting the Windows XP operating system. So, if you are still running this older operating system on your PCs, we again advise you to move on to another operating system in order to receive updates and secure yourself from upcoming threats.

[Webcast Correction] Important correction to the webcast. The MITM attack does not just affect DTLS. It does affect TLS (TCP) as well.

Quick Q&A Summary from the webcast:

– The MITM vulnerability only affects servers that run OpenSSL 1.0.1 but all clients. Both have to be vulnerable to exploit this problem.

– The MITM vulnerability is not just DTLS (sorry, had that wrong during the webcast)

– Common DTLS applications: Video/Voice over IP, LDAP, SNMPv3, WebRTC

– Web servers (https) cannot use DTLS.

– OpenVPN’s "auth-tls" feature will likely mitigate all these vulnerabilities

– Even if you use "commercial software", it may still use OpenSSL.

———

The OpenSSL team released a critical security update today. The update patches 6 flaws. 1 of the flaws (CVE-2014-0195) may lead to arbitrary code execution. [1]

All versions of OpenSSL are vulnerable to CVE-2014-0195, but this vulnerability only affects DTLS clients or servers (look for SSL VPNs… not so much HTTPS).

I also rated CVE-2014-0224 critical, since it does allow for MiTM attacks, one of the reasons you use SSL. But in order to exploit this issue, both client and server have to be vulnerable, and only openssl 1.0.1 is vulnerable on servers (which is why I stuck with "important" for servers). The discoverer of this vulnerability released details here: http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html .